DNS resolution over VPN not working on Windows 10


The DNS servers and suffixes configured for a VPN connection in Windows 10 are used for name resolution in force-tunnel mode (the “Use the default gateway on the remote network” option is enabled) while the VPN connection is active. In this case, you cannot resolve DNS names in your local network or reach the Internet through your local LAN.

At the same time, you can still ping any resource on your LAN (try pinging the gateway, a nearby computer, or the IP address of a printer). They are reachable only by IP address, not by hostname, because Windows 10 tries to resolve hostnames in your local network through the DNS servers specified in the VPN connection settings.

I found some recommendations on disabling IPv6 for your local (LAN) interface, and it will help if you want to use force-tunneling mode.

If you are using split tunneling for your VPN connection (the “Use the default gateway on the remote network” option is unchecked), you can access the Internet from your local network, but you cannot resolve DNS names in the remote VPN network (disabling IPv6 does not help here).

You must understand that Windows sends DNS queries from the network interface with the highest priority, i.e. the lowest interface metric value. Take, for example, a VPN connection working in split-tunneling mode (you want to reach the Internet from your LAN and your company’s resources via the VPN).

Check the metric values of all network interfaces from PowerShell:

Get-NetIPInterface | Sort-Object InterfaceMetric

The screenshot above shows that the local Ethernet connection has a lower metric (25) than the VPN interface (100). Since DNS traffic goes through the interface with the lowest metric value, your DNS requests are sent to the local DNS servers instead of the DNS servers of the VPN connection. In this configuration, you cannot resolve names in the remote VPN network.

Additionally, a DNS client feature introduced in Windows 8.1 and Windows 10 should be mentioned here. Smart Multi-Homed Name Resolution (SMHNR) was added in these OS versions to speed up responses to DNS requests. By default, SMHNR sends DNS requests to all DNS servers known to the system simultaneously and uses the first response it receives (LLMNR and NetBT queries are sent as well). This is not secure, because external DNS servers (the ones configured for your VPN connection) can see your DNS traffic, i.e. your DNS requests leak. You can disable SMHNR in Windows 10 via GPO: Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn off smart multi-homed name resolution = Enabled.

Or you can disable SMHNR using the following commands (in Windows 8.1):

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name DisableParallelAandAAAA -Value 1 -Type DWord
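The same change as an added example (not part of the original post): the policy key under HKLM:\Software\Policies does not exist on a machine that has never received the GPO, and Set-ItemProperty fails on a missing key, so the script creates it first and then reads both values back. Run it from an elevated PowerShell session.

```powershell
# Added example: disable SMHNR and parallel A/AAAA queries, creating the
# policy key when it is missing, then verify the values that were written.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
$cacheKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

# Set-ItemProperty cannot create the key path itself; New-Item -Force does.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

Set-ItemProperty -Path $policyKey -Name DisableSmartNameResolution -Value 1 -Type DWord
Set-ItemProperty -Path $cacheKey  -Name DisableParallelAandAAAA    -Value 1 -Type DWord

# Read back: both values should be 1. Any other value means the write failed
# (most often because the session is not elevated).
$smhnr    = (Get-ItemProperty -Path $policyKey -Name DisableSmartNameResolution).DisableSmartNameResolution
$parallel = (Get-ItemProperty -Path $cacheKey  -Name DisableParallelAandAAAA).DisableParallelAandAAAA

[pscustomobject]@{
    DisableSmartNameResolution = $smhnr
    DisableParallelAandAAAA    = $parallel
    Applied                    = ($smhnr -eq 1 -and $parallel -eq 1)
}
```

The DNS Client service reads these values when it starts, so reboot (or restart the service where your build allows it) before testing whether the queries still leak.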

In Windows 10 Creators Update (1709) and later, DNS requests are sent to all known DNS servers one by one (not in parallel). You can increase the priority of a particular DNS server by lowering the metric of its interface.

So changing the interface metric lets you send DNS requests over whichever connection (LAN or VPN) should have the highest priority for name resolution.

Thus, the lower the interface metric value, the higher the priority of the connection. Windows automatically assigns metrics to IPv4 interfaces based on their speed and type. For example, a LAN connection faster than 200 Mbit/s gets a metric of 10, and a Wi-Fi connection at 50-80 Mbit/s gets a value of 50 (see the table at /299540/an-explanation-of-the-automatic-metric-feature-for-ipv4-routes).

You can change the interface metric from the Windows GUI, from PowerShell, or with the netsh command.

For example, suppose you want to send your DNS requests through your VPN connection. You should increase the metric of your LAN connection so that its value exceeds 100 (the VPN metric in my example).

Go to Control Panel -> Network and Internet -> Network Connections, open the properties of your Ethernet connection, select TCP/IPv4 properties and open Advanced TCP/IP Settings. Uncheck the Automatic metric option and set the interface metric to 120.

You can do the same with the following PowerShell command (use the index of your LAN interface which you can get with the Get-NetIPInterface cmdlet):

Set-NetIPInterface -InterfaceIndex 11 -InterfaceMetric 120

or using netsh (specify the name of your LAN connection):

netsh interface ipv4 set interface "Ethernet0" metric=120

In the same way you can reduce the metric value in the properties of your VPN connection.
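The whole procedure in one script, as an added example (not code from the original post): list the interfaces in the order the DNS client prefers them together with the DNS servers each carries, raise the LAN metric above the VPN metric when needed, and show the order again. The interface names "Ethernet0" and "VPN_work" and the internal hostname are assumptions; the VPN interface only exists while the connection is up.

```powershell
# Added example: make the VPN connection's DNS servers win in split-tunnel mode
# by ensuring the LAN interface metric is higher than the VPN interface metric.
$lanAlias = 'Ethernet0'   # assumed LAN interface name
$vpnAlias = 'VPN_work'    # assumed VPN connection name (interface alias)

function Show-DnsOrder {
    # IPv4 interfaces sorted by metric (lowest first = queried first),
    # each joined with the DNS servers configured on it.
    Get-NetIPInterface -AddressFamily IPv4 |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex `
                        -AddressFamily IPv4).ServerAddresses
            [pscustomobject]@{
                Metric     = $_.InterfaceMetric
                Interface  = $_.InterfaceAlias
                Index      = $_.InterfaceIndex
                DnsServers = ($dns -join ', ')
            }
        } | Format-Table -AutoSize
}

'Before:'; Show-DnsOrder

$lan = Get-NetIPInterface -InterfaceAlias $lanAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
$vpn = Get-NetIPInterface -InterfaceAlias $vpnAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
if (-not $lan) { throw "LAN interface '$lanAlias' not found" }
if (-not $vpn) { throw "VPN interface '$vpnAlias' not found; connect the VPN first" }

# Only touch the LAN metric when it currently ties or beats the VPN metric.
# Setting an explicit metric also turns off the automatic metric for that interface.
if ($lan.InterfaceMetric -le $vpn.InterfaceMetric) {
    $newMetric = $vpn.InterfaceMetric + 20
    Set-NetIPInterface -InterfaceIndex $lan.InterfaceIndex -InterfaceMetric $newMetric
    "LAN metric raised from $($lan.InterfaceMetric) to $newMetric"
}

'After:'; Show-DnsOrder

# Check that an internal name behind the VPN now resolves (assumed hostname).
Resolve-DnsName -Name 'intranet.corp.example' -Type A -DnsOnly |
    Format-Table Name, IPAddress -AutoSize
```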

You can also change your VPN connection settings from PowerShell: switch it to split tunneling and specify the DNS suffix for the connection:

Get-VpnConnection
Set-VpnConnection -Name "VPN_work" -SplitTunneling $True
Set-VpnConnection -Name "VPN_work" -DnsSuffix "<your-dns-suffix>"   # e.g. the internal DNS suffix of the remote network
